diff mbox series

[v2] hw/net/can: sja1000 fix buff2frame_bas and buff2frame_pel when dlc is out of std CAN 8 bytes

Message ID 20210729123327.14650-1-pisa@cmp.felk.cvut.cz (mailing list archive)
State New, archived
Headers show
Series [v2] hw/net/can: sja1000 fix buff2frame_bas and buff2frame_pel when dlc is out of std CAN 8 bytes | expand

Commit Message

Pavel Pisa July 29, 2021, 12:33 p.m. UTC 
Problem reported by openEuler fuzz-sig group.

The buff2frame_bas function (hw\net\can\can_sja1000.c)
infoleak(qemu5.x~qemu6.x) or stack-overflow(qemu 4.x).

Reported-by: Qiang Ning <ningqiang1@huawei.com>
Signed-off-by: Pavel Pisa <pisa@cmp.felk.cvut.cz>
---
 hw/net/can/can_sja1000.c | 8 ++++++++
 1 file changed, 8 insertions(+)

Comments

Philippe Mathieu-Daudé July 29, 2021, 12:48 p.m. UTC | #1 
"hw/net/can: sja1000 fix buff2frame* when dlc is out of std CAN 8 bytes"

On 7/29/21 2:33 PM, Pavel Pisa wrote:
> Problem reported by openEuler fuzz-sig group.
> 
> The buff2frame_bas function (hw\net\can\can_sja1000.c)
> infoleak(qemu5.x~qemu6.x) or stack-overflow(qemu 4.x).

Cc: qemu-stable@nongnu.org

> Reported-by: Qiang Ning <ningqiang1@huawei.com>
> Signed-off-by: Pavel Pisa <pisa@cmp.felk.cvut.cz>

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>

> ---
>  hw/net/can/can_sja1000.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/hw/net/can/can_sja1000.c b/hw/net/can/can_sja1000.c
> index 42d2f99dfb..34eea684ce 100644
> --- a/hw/net/can/can_sja1000.c
> +++ b/hw/net/can/can_sja1000.c
> @@ -275,6 +275,10 @@ static void buff2frame_pel(const uint8_t *buff, qemu_can_frame *frame)
>      }
>      frame->can_dlc = buff[0] & 0x0f;
>  
> +    if (frame->can_dlc > 8) {
> +        frame->can_dlc = 8;
> +    }
> +
>      if (buff[0] & 0x80) { /* Extended */
>          frame->can_id |= QEMU_CAN_EFF_FLAG;
>          frame->can_id |= buff[1] << 21; /* ID.28~ID.21 */
> @@ -311,6 +315,10 @@ static void buff2frame_bas(const uint8_t *buff, qemu_can_frame *frame)
>      }
>      frame->can_dlc = buff[1] & 0x0f;
>  
> +    if (frame->can_dlc > 8) {
> +        frame->can_dlc = 8;
> +    }
> +
>      for (i = 0; i < frame->can_dlc; i++) {
>          frame->data[i] = buff[2 + i];
>      }
>
Jason Wang Aug. 2, 2021, 4:03 a.m. UTC | #2 
在 2021/7/29 下午8:48, Philippe Mathieu-Daudé 写道:
> "hw/net/can: sja1000 fix buff2frame* when dlc is out of std CAN 8 bytes"
>
> On 7/29/21 2:33 PM, Pavel Pisa wrote:
>> Problem reported by openEuler fuzz-sig group.
>>
>> The buff2frame_bas function (hw\net\can\can_sja1000.c)
>> infoleak(qemu5.x~qemu6.x) or stack-overflow(qemu 4.x).
> Cc: qemu-stable@nongnu.org
>
>> Reported-by: Qiang Ning <ningqiang1@huawei.com>
>> Signed-off-by: Pavel Pisa <pisa@cmp.felk.cvut.cz>
> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>


Applied.

Thanks


>
>> ---
>>   hw/net/can/can_sja1000.c | 8 ++++++++
>>   1 file changed, 8 insertions(+)
>>
>> diff --git a/hw/net/can/can_sja1000.c b/hw/net/can/can_sja1000.c
>> index 42d2f99dfb..34eea684ce 100644
>> --- a/hw/net/can/can_sja1000.c
>> +++ b/hw/net/can/can_sja1000.c
>> @@ -275,6 +275,10 @@ static void buff2frame_pel(const uint8_t *buff, qemu_can_frame *frame)
>>       }
>>       frame->can_dlc = buff[0] & 0x0f;
>>   
>> +    if (frame->can_dlc > 8) {
>> +        frame->can_dlc = 8;
>> +    }
>> +
>>       if (buff[0] & 0x80) { /* Extended */
>>           frame->can_id |= QEMU_CAN_EFF_FLAG;
>>           frame->can_id |= buff[1] << 21; /* ID.28~ID.21 */
>> @@ -311,6 +315,10 @@ static void buff2frame_bas(const uint8_t *buff, qemu_can_frame *frame)
>>       }
>>       frame->can_dlc = buff[1] & 0x0f;
>>   
>> +    if (frame->can_dlc > 8) {
>> +        frame->can_dlc = 8;
>> +    }
>> +
>>       for (i = 0; i < frame->can_dlc; i++) {
>>           frame->data[i] = buff[2 + i];
>>       }
>>
diff mbox series

Patch

diff --git a/hw/net/can/can_sja1000.c b/hw/net/can/can_sja1000.c
index 42d2f99dfb..34eea684ce 100644
--- a/hw/net/can/can_sja1000.c
+++ b/hw/net/can/can_sja1000.c
@@ -275,6 +275,10 @@  static void buff2frame_pel(const uint8_t *buff, qemu_can_frame *frame)
     }
     frame->can_dlc = buff[0] & 0x0f;
 
+    if (frame->can_dlc > 8) {
+        frame->can_dlc = 8;
+    }
+
     if (buff[0] & 0x80) { /* Extended */
         frame->can_id |= QEMU_CAN_EFF_FLAG;
         frame->can_id |= buff[1] << 21; /* ID.28~ID.21 */
@@ -311,6 +315,10 @@  static void buff2frame_bas(const uint8_t *buff, qemu_can_frame *frame)
     }
     frame->can_dlc = buff[1] & 0x0f;
 
+    if (frame->can_dlc > 8) {
+        frame->can_dlc = 8;
+    }
+
     for (i = 0; i < frame->can_dlc; i++) {
         frame->data[i] = buff[2 + i];
     }